
SNMP V3 read only setup

nijamudeen_aziz
Level 1

How do I configure SNMP v3 with read-only access on switches? While configuring Cisco Prime Infrastructure with SNMP v3, there is no option for read-only (RO) as there is with SNMP v2c.

Accepted Solution

Hello,

I have been looking around quite a lot, and what I write below might be completely unrelated, but my guess is that Prime actually does not let you set read-only access, due to the way it handles permissions and user roles. I found the below in a previous post:

--> Unfortunately, there is no way to easily create a "read-only" account in Prime Infrastructure.

This is due to the way the permissions are built. The permissions a user gets depend on the Tasks it has been provided access to, and the Tasks refer almost consistently to the menu options of the application.

What you can do, is create a user role that contains only permissions for Tasks that do not involve allowing changes.

This can be done under Administration > User Roles and AAA > User Groups. Click a desired Role name and unselect the checkboxes of tasks that refer to the ability of deploying changes, like: Delete Device Access or Configure Access Points, etc.

It is not ideal, but is the closest we can do. It will be the same in case of Local or AAA users.


7 Replies

marce1000
VIP

 

 - FYI: https://itadminguide.com/configure-snmpv3-on-cisco-switch/ , pay attention to the read-only part of that document.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

balaji.bandi
Hall of Fame

I use the below on Cat 9K switches:

snmp-server group xxxxxxxxxxxxxx_RO v3 priv access

What version of Prime?

Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type, and snmpv3_privacy_password columns.

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-8/admin/bk_CiscoPrimeInfrastructure_3_8_AdminGuide/bk_CiscoPrimeInfrastructure_3_8_AdminGuide_appendix_01110.html?bookSearch=true#task_1069928

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

nijamudeen_aziz
Level 1

Prime version 3.4, switch C3650 version 16.12. The config below was done.

switchc3650:

snmp-server group myprofile v3 priv
snmp-server host 192.168.100.10 snmpadmin 
snmp-server user snmpadmin prime-profile v3 auth md5 xxxxxxx priv des xxxxxxxx
snmp-server enable traps

Prime infra 3.4:

profile:myprofile 

snmp:v3

username:myprofile

mode:authpriv

auth:hmac-md5

auth.pwd:xxxxx

Note: it now has read/write access and I want read-only only. Where exactly do I have to change the access level?

 

 

 

 

I see your group profile does not match the profile added to the user:

snmp-server view ViewDefault iso included
snmp-server group myprofile v3 priv read ViewDefault
snmp-server user snmpadmin myprofile v3 auth md5 xxxxxxx priv des xxxxxxxx

 

 

BB
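
As an added example (not code from any poster or from Cisco), a short Python check over the `snmp-server` lines quoted in this thread: it flags a v3 user whose group has no matching `snmp-server group` line, a group that carries a write view or no explicit read view, and a security level below priv. The function names are assumptions made for this example, and it only understands the line forms shown above, as they are entered at the CLI.

```python
import re

# Constructed samples: the lines posted in the thread (passwords already masked).
BEFORE = """\
snmp-server group myprofile v3 priv
snmp-server host 192.168.100.10 snmpadmin
snmp-server user snmpadmin prime-profile v3 auth md5 xxxxxxx priv des xxxxxxxx
"""
AFTER = """\
snmp-server view ViewDefault iso included
snmp-server group myprofile v3 priv read ViewDefault
snmp-server user snmpadmin myprofile v3 auth md5 xxxxxxx priv des xxxxxxxx
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b")


def option(rest, keyword):
    """Return the value following a group keyword such as 'read' or 'write'."""
    m = re.search(rf"\s{keyword} (\S+)", rest)
    return m.group(1) if m else None


def audit_snmpv3(config):
    """Return findings for SNMPv3 users whose read-only status is not explicit."""
    groups, users, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = (m.group(2), m.group(3))
        elif m := USER_RE.match(line):
            users.append((m.group(1), m.group(2)))
    for user, group in users:
        if group not in groups:
            findings.append(f"{user}: no 'snmp-server group {group} v3' line defines its views")
            continue
        level, rest = groups[group]
        if (view := option(rest, "write")) is not None:
            findings.append(f"{user}: group {group} has write view {view}")
        if option(rest, "read") is None:
            findings.append(f"{user}: group {group} has no explicit read view")
        if level != "priv":
            findings.append(f"{user}: group {group} is '{level}', not priv")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_snmpv3(cfg) or "read-only, explicit views")
```

An empty result means every v3 user maps to a group line with an explicit read view, no write view, and the priv level; confirm the effective views on the device with the group listing shown later in the thread.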


nijamudeen_aziz
Level 1

I configured SNMP v3 with default parameters; from Cisco Prime I am still able to change the switch configuration.

I don't want Cisco Prime to be allowed to change the switch configuration.

 User name: snmpadmin
Engine ID: 8000000903001CDEA7D8AB81
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: prime-profile

groupname: snmpadmin security model:v1
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active

groupname: snmpadmin security model:v2c
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active

groupname: prime-profile security model:v3 priv
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

 

nijamudeen_aziz
Level 1

Thank you for your support.